DETAILED ACTION
The following is a Final Office Action in response to communications filed August 28, 2025. Claims 11–17 are amended, and claim 19 is newly added. Currently, claims 1–19 are pending, of which claims 1–10 are withdrawn from consideration.
Response to Amendment/Argument
Applicant’s Response is sufficient to obviate the previous interpretation under 35 U.S.C. 112(f). Accordingly, the previous interpretation under 35 U.S.C. 112(f) is withdrawn.
Applicant’s Response is sufficient to overcome the previous rejection of claim 15 under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Accordingly, the previous rejection of claim 15 under 35 U.S.C. 112(b) is withdrawn.
Applicant’s Response is sufficient to overcome the previous rejection of claims 11–18 under 35 U.S.C. 101 as being directed to non-statutory subject matter. More particularly, the additional elements of independent claims 11 and 16, including the elements for “modifying the organization operating system based on the recommended plan,” integrate the abstract idea into a practical application under Step 2A Prong Two because the additional elements embody an improvement to other technology or technical field. Accordingly, the previous rejection of claims 11–18 under 35 U.S.C. 101 is withdrawn.
With respect to the previous rejections under 35 U.S.C. 102(a)(1) and 35 U.S.C. 103, Applicant’s remarks have been fully considered but are not persuasive.
Applicant first asserts that the reference to Vescio does not disclose scenario data that includes “an agent, an intent, a state, a valuable, and a surface”. Applicant’s remarks are directed to newly amended subject matter, which is addressed for the first time herein. Accordingly, Examiner directs Applicant to the relevant explanation below.
With respect to claim 16, Applicant asserts that Eling does not disclose a quantile-dot plot. Applicant’s remarks have been fully considered but are moot in view of the updated grounds of rejection asserted below.
Accordingly, Applicant’s remarks are not persuasive, and Examiner directs Applicant to the relevant explanation below.
Information Disclosure Statement
The information disclosure statement filed September 3, 2025 fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed. More particularly, the IDS filed on September 3, 2025 lists 16 non-patent literature documents. Although Applicant’s filing includes identifiable copies of documents 1, 4–9, 13, and 16, Applicant’s filing does not include identifiable copies for items 2–3, 10–12, and 14–15. The information disclosure statement has been placed in the application file, but the information referred to therein has not been considered.
Claim Objections
The amendment to the claims filed on August 28, 2025 does not comply with the requirements of 37 CFR 1.121(c) because the amendments to claim 16 are improper. Amendments to the claims filed on or after July 30, 2003 must comply with 37 CFR 1.121(c) which states:
(c) Claims. Amendments to a claim must be made by rewriting the entire claim with all changes (e.g., additions and deletions) as indicated in this subsection, except when the claim is being canceled. Each amendment document that includes a change to an existing claim, cancellation of an existing claim or addition of a new claim, must include a complete listing of all claims ever presented, including the text of all pending and withdrawn claims, in the application. The claim listing, including the text of the claims, in the amendment document will serve to replace all prior versions of the claims, in the application. In the claim listing, the status of every claim must be indicated after its claim number by using one of the following identifiers in a parenthetical expression: (Original), (Currently amended), (Canceled), (Withdrawn), (Previously presented), (New), and (Not entered).
(1) Claim listing. All of the claims presented in a claim listing shall be presented in ascending numerical order. Consecutive claims having the same status of “canceled” or “not entered” may be aggregated into one statement (e.g., Claims 1–5 (canceled)). The claim listing shall commence on a separate sheet of the amendment document and the sheet(s) that contain the text of any part of the claims shall not contain any other part of the amendment.
(2) When claim text with markings is required. All claims being currently amended in an amendment paper shall be presented in the claim listing, indicate a status of “currently amended,” and be submitted with markings to indicate the changes that have been made relative to the immediate prior version of the claims. The text of any added subject matter must be shown by underlining the added text. The text of any deleted matter must be shown by strike-through except that double brackets placed before and after the deleted characters may be used to show deletion of five or fewer consecutive characters. The text of any deleted subject matter must be shown by being placed within double brackets if strike-through cannot be easily perceived. Only claims having the status of “currently amended,” or “withdrawn” if also being amended, shall include markings. If a withdrawn claim is currently amended, its status in the claim listing may be identified as “withdrawn—currently amended.”
(3) When claim text in clean version is required. The text of all pending claims not being currently amended shall be presented in the claim listing in clean version, i.e., without any markings in the presentation of text. The presentation of a clean version of any claim having the status of “original,” “withdrawn” or “previously presented” will constitute an assertion that it has not been changed relative to the immediate prior version, except to omit markings that may have been present in the immediate prior version of the claims of the status of “withdrawn” or “previously presented.” Any claim added by amendment must be indicated with the status of “new” and presented in clean version, i.e., without any underlining.
(4) When claim text shall not be presented; canceling a claim.
(i) No claim text shall be presented for any claim in the claim listing with the status of “canceled” or “not entered.”
(ii) Cancellation of a claim shall be effected by an instruction to cancel a particular claim number. Identifying the status of a claim in the claim listing as “canceled” will constitute an instruction to cancel the claim.
(5) Reinstatement of previously canceled claim. A claim which was previously canceled may be reinstated only by adding the claim as a “new” claim with a new claim number.
Claim 16 includes a series of steps that are indicated numerically. More particularly, original claim 16 includes steps (a)–(f), and amended claim 16 includes steps (a)–(h). However, the amendments to claim 16 do not include proper markings denoting the amended numerical indicators. As a result, the amendments to claim 16 are improper. Examiner notes that future failures to comply with the requirements set forth under 37 CFR 1.121(c) may result in the issuance of a Notice of Non-Compliant Amendment.
Claim Rejections - 35 USC § 102(a)(1)
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 11 and 14–15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by VESCIO (U.S. 2018/0069882).
Claim 11: Vescio discloses a cybersecurity risk management system comprising:
a memory comprising computer readable instructions (See paragraph 41 and claim 14),
an organization operating system (See paragraphs 14–15, wherein an information system includes an operating system; see also paragraphs 68 and 71), and
a processor in communication with the memory, the processor being operable to execute the computer readable instructions such that the operations are performed (See paragraph 41 and claim 14) comprising:
receiving scenario data from a user (See paragraph 58, wherein a business profile is generated using surveys; see also paragraph 101, wherein scenario data is received from a user during simulation),
wherein said scenario data includes an agent (See paragraphs 67–68, wherein business profile assessment data includes identification of ransomware and ransomware types), an intent (See paragraphs 68 and 70, wherein an intended purpose of a given ransomware agent is identified), a state (See paragraphs 68 and 70, wherein an impact of the ransomware agent is identified), a valuable (See paragraphs 64 and 68, wherein data breach information is identified with respect to trade secrets, financial details, and proprietary information), and a surface (See FIG. 16 and paragraph 68, wherein ransomware agents are identified with respect to target computers),
notifying the user when said scenario data exceeds a predetermined threshold value (See FIG. 15 and paragraphs 107 and 114, wherein risk scores are identified with respect to configurable thresholds),
receiving control data from the user (See paragraphs 100–101, wherein the user tests control implementation by selecting controls for a given scenario),
wherein said control data includes at least one mitigation control and an associated cost (See paragraph 101, wherein controls are associated with an implementation cost),
mapping the control data to the scenario data to assess a monetary impact of the at least one mitigation control (See paragraph 101, wherein implemented controls are evaluated for a given scenario based on an implementation cost),
producing one or more plans, each plan including one or more of the at least one mitigation control (See FIG. 16 and paragraph 101, wherein control recommendations are provided; see also paragraphs 109–110),
producing a recommended plan based on the scenario data and the monetary impact of the at least one mitigation control (See FIG. 16 and paragraph 101, wherein control recommendations are provided based on an implementation cost; see also paragraphs 109–110),
projecting a visual distribution to a user based on the scenario data of an efficacy of the recommended plan (See FIG. 14 and paragraphs 101–102, wherein residual risk reports visualize control efficacy), and
modifying the organization operating system based on the recommended plan (See paragraphs 14 and 17, wherein the information system is modified in accordance with the provided recommendations; see also paragraphs 101, 105, and 112).
Claim 14: Vescio discloses the cybersecurity risk management system of claim 11, wherein the processor is operatively connected to a second component configured to provide a loss value associated with a risk scenario, said loss value derived from a public data source (See FIG. 14 and paragraphs 102–103, in view of paragraphs 65–67 and 93, wherein loss values are generated in association with a risk scenario based on probabilities, frequencies, and impacts; see also paragraphs 48–49 and 114, wherein intelligence sources provide updated threat intelligence information to manage a threat library, and wherein threat intelligence information includes known customer and industry likelihood and impact data).
Claim 15: Vescio discloses the cybersecurity risk management system of claim 11, wherein the processor is operatively connected to a third component configured to provide a loss value associated with a risk scenario, said loss value derived from internal data of an operating system (See FIG. 14 and paragraphs 102–103, in view of paragraphs 65–67 and 93, wherein loss values are generated in association with a risk scenario based on probabilities, frequencies, and impacts; see also FIG. 6 and paragraphs 62–64 and 72–74, wherein internal customer data is received for risk analysis).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 12–13 are rejected under 35 U.S.C. 103 as being unpatentable over VESCIO (U.S. 2018/0069882) in view of Mo et al. (Mo, Sheung Yin Kevin, Peter A. Beling, and Kenneth G. Crowther. "Quantitative assessment of cyber security risk using Bayesian Network-based model." 2009 Systems and Information Engineering Design Symposium. IEEE, 2009.).
Claim 12: As disclosed above, Vescio discloses the elements of claim 11. Although Vescio discloses a risk-modeling component used to recommend the risk mitigation control based on the scenario data (see citations above), Vescio does not expressly disclose the remaining claim elements.
Mo discloses wherein the processor utilizes a Bayesian network to recommend the at least one risk mitigation control based on the scenario data (See Methodology (III)(C), in view of the Abstract, wherein “[s]pecific areas of deficiency in their security systems can also be addressed” by analyzing a risk score derived using a Bayesian Network model).
Vescio discloses a system directed to measuring and modeling risks. Mo discloses a system directed to assessing risks using a Bayesian Network model. Each reference discloses a system directed to modeling and assessing risks. The technique of using a Bayesian network is applicable to the system of Vescio as they each share characteristics and capabilities; namely, they are directed to modeling and assessing risks.
One of ordinary skill in the art would have recognized that applying the known technique of Mo would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Mo to the teachings of Vescio would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate modeling and assessing risks into similar systems. Further, applying a Bayesian network to Vescio would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and more reliable results.
Claim 13: Vescio discloses the cybersecurity risk management system of claim 11, wherein the processor is operatively connected to a first component configured to provide a loss value associated with a risk scenario, said loss value derived from an estimate (See FIG. 14 and paragraphs 102–103, in view of paragraphs 65–67 and 93, wherein loss values are generated in association with a risk scenario based on probabilities, frequencies, and impacts; see also paragraphs 48–49 and 114, wherein intelligence sources provide updated threat intelligence information to manage a threat library, and wherein threat intelligence information includes known customer and industry likelihood and impact data). Vescio does not expressly disclose the remaining claim elements.
Mo discloses a component configured to provide a value associated with a risk scenario, said value derived from an expert estimate (See Methodology (III)(A), wherein the model “can be updated as additional information becomes available from external sources and experts”).
One of ordinary skill in the art would have recognized that applying the known technique of Mo would have yielded predictable results and resulted in an improved system for the same reasons as stated above with respect to claim 12.
Claims 16–18 are rejected under 35 U.S.C. 103 as being unpatentable over VESCIO (U.S. 2018/0069882) in view of Uanhoro et al. (Uanhoro, James Ohisei, and Steven Stone-Sabali. "Beyond Group Mean Differences: A Demonstration With Scale Scores in Psychology." Collabra: Psychology 9.1 (2023): 57610.).
Claim 16: Vescio discloses a method of managing cybersecurity risk comprising:
a. providing a cybersecurity risk management system comprising a processor (See paragraph 41) and a user-interface (See FIG. 14 and paragraphs 99–100, wherein the display includes one or more interactive utilities);
b. receiving, with the user-interface, scenario data and loss data from a user concerning a cybersecurity risk scenario (See paragraph 58, wherein a business profile is generated using surveys; see also paragraph 101, in view of FIG. 14 and paragraphs 99–100, wherein scenario data is received from a user during simulation via the interface),
wherein said scenario data includes an agent (See paragraphs 67–68, wherein business profile assessment data includes identification of ransomware and ransomware types), an intent (See paragraphs 68 and 70, wherein an intended purpose of a given ransomware agent is identified), a state (See paragraphs 68 and 70, wherein an impact of the ransomware agent is identified), a valuable (See paragraphs 64 and 68, wherein data breach information is identified with respect to trade secrets, financial details, and proprietary information), and a surface (See FIG. 16 and paragraph 68, wherein ransomware agents are identified with respect to target computers),
wherein the processor is configured to visualize on the user-interface the loss data in the form of a first interactive interface (See FIG. 14 and paragraphs 99–100, wherein the display includes one or more interactive utilities);
c. notifying, with the user-interface, the user if the scenario data exceeds a predetermined threshold value (See FIG. 15 and paragraphs 107 and 114, wherein risk scores are identified with respect to configurable thresholds),
d. determining, with a processor, a first expected monetary loss based on the scenario data (See FIG. 14 and paragraphs 100–101, wherein loss values are generated for a scenario);
e. receiving, with the user-interface, control data from the user (See FIG. 14 and paragraphs 100–101, wherein loss values are generated for a scenario with respect to selected controls);
f. receiving, with the user-interface, updated loss data from the user, wherein the processor is configured to visualize on the user-interface the updated loss data in the form of a second interactive interface (See FIG. 14 and paragraphs 100–101, wherein loss values are modified for a what-if scenario with respect to selected controls);
g. determining, with the processor, a second expected monetary loss based on the updated loss data (See FIG. 14 and paragraphs 100–101, wherein loss values are updated for the what-if scenario with respect to selected controls);
h. modifying an organization operating system based on the second expected monetary loss (See paragraphs 14 and 17, wherein the information system is modified in accordance with the provided recommendations; see also paragraphs 101, 105, and 112). Vescio does not expressly disclose the remaining claim elements.
Uanhoro discloses receiving data from a user, wherein the processor is configured to visualize on the user-interface the data in the form of a first quantile-dot plot and receiving, with the user-interface, updated data from the user, wherein the processor is configured to visualize on the user-interface the updated data in the form of a second quantile-dot plot (See FIG. 10, Abstract, and pages 8–9, wherein a researcher interacts with an application interface to generate quantile-dot plots for customized comparisons).
Vescio discloses a system directed to measuring and modeling risks using statistical analytics. Uanhoro discloses a system directed to modeling and analyzing data statistically. Each reference discloses a system directed to data analytics. The technique of using quantile-dot plots based on user inputs is applicable to the system of Vescio as they each share characteristics and capabilities; namely, they are directed to data analytics.
One of ordinary skill in the art would have recognized that applying the known technique of Uanhoro would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Uanhoro to the teachings of Vescio would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate data analytics into similar systems. Further, applying quantile-dot plots based on user inputs to Vescio would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and more reliable results.
Claim 17: Vescio discloses the method of managing cybersecurity risk of claim 16, wherein the method further comprises a step of mapping the control data to the scenario data before the step of receiving the updated loss data (See paragraph 85, wherein assessment data is mapped to the control framework).
Claim 18: Vescio discloses the method of managing cybersecurity risk of claim 16, wherein the method further comprises receiving project cost and project benefit data, and determining the second expected monetary loss based on the project cost data, the project benefit data, and the updated loss data (See FIG. 14 and paragraphs 100–101, wherein implementation projects are assessed with respect to implementation and effect costs in a what-if scenario assessment).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over VESCIO (U.S. 2018/0069882) in view of BELFIORE, JR. et al. (U.S. 2018/0146004).
Claim 19: As an initial matter, Examiner submits that the elements of claim 19 are afforded limited patentable weight because the recited elements do not impact the recited system elements of claim 11. The elements are addressed only in the interest of compact prosecution.
As disclosed above Vescio discloses the elements of claim 11. Vescio further discloses the cybersecurity risk management system of claim 11, wherein the agent is an entity responsible for a cyber-attack (See paragraphs 67–68, wherein business profile assessment data includes identification of ransomware and ransomware types),
wherein the state is the impact of a cyber event (See paragraphs 68 and 70, wherein an impact of the ransomware agent is identified),
wherein the valuable is what is sought by the agent (See paragraphs 64 and 68, wherein data breach information is identified with respect to trade secrets, financial details, and proprietary information), and
wherein the surface is an item able to be exploited by the agent (See FIG. 16 and paragraph 68, wherein ransomware agents are identified with respect to target computers). Although Vescio discloses an agent intent (See paragraphs 68 and 70, wherein an intended purpose of a given ransomware agent is identified), Vescio does not expressly disclose the remaining claim elements.
Belfiore discloses wherein the intent is either deliberate or accidental (See paragraph 39, wherein accidental and malicious intents are considered).
Vescio discloses a system directed to measuring and modeling risks. Belfiore discloses a system directed to assessing cybersecurity risks. Each reference discloses a system directed to modeling and assessing risks. The technique of considering deliberate or accidental intents is applicable to the system of Vescio as they each share characteristics and capabilities; namely, they are directed to modeling and assessing risks.
One of ordinary skill in the art would have recognized that applying the known technique of Belfiore would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Belfiore to the teachings of Vescio would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate modeling and assessing risks into similar systems. Further, applying intent considerations to Vescio would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow more detailed analysis and more reliable results.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S BROCKINGTON III whose telephone number is (571)270-3400. The examiner can normally be reached M-F, 8am-5pm, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu can be reached at 571-272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623